New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit

Observed in the wild as early as 2016, Azorult is a Trojan family which has been delivered in malicious macro-based documents via spam campaigns, or as a secondary payload in the RIG Exploit Kit campaigns. On October 20th, 2018 we discovered that new Azorult variants were being used as primary payloads in a new ongoing campaign using the Fallout Exploit Kit. We named this campaign ‘FindMyName’ because all of the final exploit pages land on the domain findmyname[.]pw. These new Azorult samples variants use advanced obfuscation techniques, such as API flooding and control flow flattening, to evade anti-virus products. Also, we discovered that Azorult has further evolved, the samples we captured support stealing sensitive information in more browsers, applications, and cryptocurrency wallets than previous versions.

In this blog we will cover the FindMyName campaign, the new Azorult malware, and the obfuscation techniques used.

First stage of FindMyName Campaign

October 20th is when we first observed the new campaign we are dubbing FindMyName. In the following 3 days, 5 different URL chains, listed in appendix 1, led to the delivery of the Fallout Exploit Kit. All 5 different URL chains redirected victims to one domain, findmyname[.]pw.

The steps in the first stage of FindMyName campaign are shown in Figure 1.

Figure 1 Overview of the first stage of the attack

Although the 5 final pages in findmyname[.]pw were different, the content of them were similar. An example of the Fallout Exploit Kit landing page is shown in Figure 2.

Figure 2 obfuscated landing page

The Fallout Exploit Kit uses several html tags such as span, h3, and p to hide the real exploit code with highly obfuscated tag content. After decryption, the real VBScript code exploits an IE VBScript vulnerabilityCVE-2018-8174 which was patched in August.

Figure 3 Exploit code snippet of CVE-2018-8174 in Fallout Exploit Kit

After the exploit succeeds, this Fallout Exploit Kit downloads a “.tmp” file to the %Temp% directory and calls CreateProcess to execute it. Further analysis revealed that the “.tmp” file was the latest variant of Azorult malware. It was the first time we’ve seen the new variant of Azorult malware used as primary payload for Fallout Exploit Kit.

Second stage of FindMyName Campaign

In this section, we focus on analyzing the latest variant of Azorult malware we captured.

Malware Analysis Overview

The Azorult malware family is a commercial Trojan sold on underground forums. We observed 3 new variants of Azorult malware in the recent FindMyName campaign. When we discovered them, 2 of the 3 samples had not been seen in the wild yet. One of the new Azorult samples we captured and analyzed has the following malicious features (some of these features are explained in detail in the next section):

Evades anti-virus emulator through API flooding.

Thwarts reverse engineering analysis through a control flow flattening technique.

Uses a process hollowing technique to build the new malware image.

Steals credentials, cookies, histories and autofills for more browsers than previous versions.

The initial Azorult malware was written in Microsoft Visual C++ 7.0. First, the Azorult malware attempted to use control flow flattening obfuscation to thwart reverse engineering analysis as shown in Figure 4. Second, the sample used an API Flooding technique as shown in Figure 5. API Flooding is a malware technique to evade anti-virus emulators. For timely performance concerns, anti-virus emulators set a timer when emulating the executable file on the host machine. If the emulator emulates hundreds of time consuming functions, the emulator times out and marks the file as benign.

Figure 4 control flow flatten

Figure 5 API flooding

Process Hollowing

Azorult uses a process hollowing technique to build the new malware image. First, the sample decrypts the payload in the memory. Then the sample creates a new suspended process of itself. The sample then injects a decrypted payload to the new process. Lastly, the sample resumes new process execution and exhibits malicious behaviors. The overview of the sample execution is shown in Figure 6.

Figure 6 Sample process hollowing

C2 Communication

The new trojan file dumped from the process was coded in the Delphi language. When the sample executes, it immediately connects to a C2 server for further instructions. In order to evade Intrusion Prevention Systems (IPS), the C2 traffic is obfuscated. The data sent back to the C2 includes a unique victim ID for each victim’s machine by encoding the machine GUID , Windows product name, user name and computer name with hash algorithm. Then the malware decrypts a C2 address and sends a POST request to 51[.]15[.]196[.]30/1/index.php with the encrypted victim’s ID. The C2 traffic is shown in Figure 7. The detailed example about hash algorithm and encryption is listed in Appendix 1.

Figure 7 C2 request

The sample decrypts and validates the C2 response. The decrypted C2 content had three parts. The part contained inside the <n></n> tags contains 48 legit DLLs which are used for information stealing, described in the following sections. The part inside the <d></d> tags contains application information for information stealing: application path, related registry and credential file names. The part in the <c></c> tags contains a C2 configuration for the sample. The C2 configuration is shown in Figure 8. According to pcap analysis, we identified the following characters checked by this sample.

Figure 9 shows an example of C2 configuration for stealing sensitive information from Firefox and Thunderbird.

Figure 9 C2 configuration for information stealing

The overview of C2 traffic is shown in Figure 10.

Figure 10 C2 traffic overview

Information stealer

The sample stole credentials and user data from thirty-two browsers including Chrome, Firefox and Qihoo 360. The full list of browsers is in Appendix 2. To steal credentials from browsers, the sample downloaded 48 legitimate dll files from C2 response to %AppData%LocalTemp2fda folder as shown in Figure 11.

Figure 11 legit dll files

The purpose of this action is to load nss3.dll and load the following functions:

sqlite3_open

sqlite3_close

sqlite3_prepare_v2

sqlite3_step

sqlite3_column_text

sqlite3_finalize

NSS_Init

PK11_GetInternalKeySlot

PK11_Authenticate

PK11SDR_Decrypt

NSS_Shutdown

PK11_FreeSlot

These functions are used to dump sensitive browser information. For example, the malware tried to use sqlite3_* functions to get the Firefox browser history information as shown in figure 12.

Figure 12 steal Firefox sensitive information using APIs in nss3.dll

Here is another example of a user name and password being stolen, this time from saved Chrome data. The sample searched the path “%LOCALAPPDATA%GoogleChromeUser Data” for file “Login Data”. If found, the sample copies the “Login Data” file to the %AppData%LocalTemp directory and called sqlite3_prepare_v2 function from nss3.dll to exfiltrate credentials with SQL query: “SELECT origin_url, username_value, password_value FROM logins” as shown in Figure 13.

Figure 13 select strings for stealing browser credentials

The malware also withdrawals cookies, bookmarks, and autofill information from the aforementioned browsers. Credential information is saved to PasswordsList.txt and cookies are saved to CookieList.txt.

Additionally, the sample steals the following cryptocurrency wallets:

Ethereum

Electrum

Electrum-LTC

Jaxx

Exodus

MultiBitHD

Th malware tries to find the specified file including sensitive information of cryptocurrency wallets. For example the sample tried to find and send “mbhd.wallet.aes” file located in “CoinsMultiBitHD” as shown in Figure 14.

Figure 14 steal cryptocurrency wallets

The sample steals credentials and user data from popular applications including Thunderbird, FileZilla, Outlook, WinSCP, Skype, Telegram and Steam. It also steals files from the Desktop. For example, the sample tries to find “D877F783D5*.map*” file under “%appdata%Telegram Desktoptdata” directory to steal sensitive information from Telegram as shown in Figure 15.

Figure 15 steal applications credentials

The sample collects the user information including current processes, installed software, system language and time zone. The harvested credentials and user information are then sent back to the C2. Here are some highlights about system information stealing.

The malware captures a screenshot of the victim’s computer and saves it to an image file named scr.jpg as shown in Figure 16.

The attacker can remotely control the infected system to execute any file through Create Process or ShellExecute as shown in Figure 18. We also observed that it had the behavior of accessing a malicious URL to get the file: plugin-update[.]space/download/10.17.18.exe.

Figure 18 call CreateProcess or ShellExecute to execute the file

This new variant of Azorult also has the capability to execute malware with local system privileges. It will check the current SID and token by following logic as shown in Figure 19:

If the current integrity level is local_system

It will call WTSQueryUserToken and CreateProcessAsUser to start a new process with system privilege as shown in Figure 20.

Figure 19 Check SID and token

Figure 20 create process as local system privilege

Erasing Hints and Deleting Files

We also found that the malware erases all of the files located in “%temp%2fda” and deletes files according to the C2’s command as shown in Figure 21 and Figure 22.

Figure 21 Erasing Hints of Infection

Figure 22 delete files according C2 command

Conclusion

A presumed new campaign surfaced in late October that caught our attention. In the span of 3 days, 5 Fallout Exploit Kit URL chains were observed, all landing on an exploit page hosted on domain findmyname[.]pw. There is a new variant of Azorult malware found to be used as a payload for Fallout Exploit Kit. It has updated features compared to the previous versions and supports stealing from more software and cryptocurrency wallets than ever before.

Organizations with up-to-date Windows hosts have a much lower risk of infection. Palo Alto Networks’ customers are further protected from this threat. Our threat prevention platform detects both Fallout exploit kit and Azorult malware. AutoFocus users can track this activity using the AzoRult tag.

Palo Alto Networks is the next-generation security company maintaining trust in the digital age by helping tens of thousands of organizations worldwide prevent cyber breaches. With our deep cybersecurity expertise, commitment to innovation, and game-changing Next-Generation Security Platform, customers can confidently pursue a digital-first strategy and embark on new technology initiatives, such as cloud and mobility. This kind of thinking and know-how helps customer organizations grow their business and empower employees all while maintaining complete visibility and the control needed to protect their critical control systems and most valued data assets.
Our platform was built from the ground up for breach prevention, with threat information shared across security functions system-wide, and designed to operate in increasingly mobile, modern networks. By combining network, cloud and endpoint security with advanced threat intelligence in a natively integrated security platform, we safely enable all applications and deliver highly automated, preventive protection against cyberthreats at all stages in the attack lifecycle without compromising performance. Customers benefit from superior security to what legacy or point products provide and realize a better total cost of ownership.

Ransomware, specifically cryptographic ransomware, has quickly become one of the greatest cyber threats facing organizations around the world. This criminal business model has proven to be highly effective in generating revenue for cyber criminals in addition to causing significant operational impact to affected organizations. It is largely victim agnostic, spanning across the globe and affecting all major industry verticals. Small organizations, large enterprises, individual home users – everyone is a potential target.
Ransomware has existed in various forms for decades, but in the last several years criminals have perfected the key components of these attacks. This has led to an explosion of new malware families and has drawn new actors into participating in these lucrative schemes.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.